Marriott, the world’s largest hotel chain operator, has been slapped with a class-action lawsuit over the data breach now believed to affect more than 300 million people. The suit, brought by more than 150 past hotel guests, according to Vox, is at least the second to surface since the breach was disclosed in late November.
Filed in Maryland federal district court on January 9, the massive suit includes plaintiffs in dozens of states where it alleges laws were violated. It accused Marriott of involvement in “deceptive, unconscionable, and substantially injurious practices”.
In addition to seeking compensatory damages and other forms of relief deemed appropriate by the court, the suit seeks an injunctive relief to prohibit Marriott from “continuing to engage” in “unlawful acts, omissions, and practices...”
The plaintiffs are represented by five law firms: DiCello Levitt & Casey LLC; Hausfeld LLP; Cohen Milstein Sellers & Toll PLLC; Cohen & Gresser LLP; and Kramon & Graham PA.
Marriott declined to comment.
In its most recent update on January 4, Marriott International said the personal information of fewer than 383 million former guests may have been accessed without authorisation. The company has yet to provide any details regarding the cause of the breach, but it said roughly 345,000 unexpired payment cards stored in its database may also be compromised. The initial intrusion is said to date back to 2014.
The breach of Marriott’s Starwood reservation system is one of the largest in recent history, potentially dwarfing the 2017 Equifax incident by more than a hundred million victims. The hotel chain operates over 6700 properties in nearly 130 countries and territories, according to the company.
Marriott’s disclosure, as is customary now after a breach of this magnitude, prompted renewed calls for Washington lawmakers to address the need for a US national data privacy law, something Democrats have said is a top priority in 2019 following the party’s takeover of the House of Representatives.
Marriott was previously sued in Maryland by a separate law firm, Morgan & Morgan, in late November. John Yanchunis, an attorney for the firm, told Gizmodo it was both “shocking and horrifying” that it took years for the company to detect the breach.
“Large, sophisticated companies like Marriott are not blind to the risks posed by cyber criminals, who are constantly attempting to infiltrate corporations that store sensitive consumer information,” he said.